Internet communications architecture relies on HTTP traffic between web servers and web browsers. When the communications are deemed to have a security requirement, Secure Sockets Layer (SSL) is the de facto standard. An historical perspective provides the context that the initial offering of SSL was in response to the desire to use the Internet as a commerce system. SSL was developed and deployed as a commercial solution outside of any standards or best practices at the time. The attainment by SSL to the level of de facto standard, as well as post-introductory standardization of the technology and its follow-on, Transport Layer Security (TLS), has made clear that any new system of security for HTTP communications should deliver the same technical as well as ease-of-use capabilities.
What is needed is a way to meet and exceed the standards-based minimums of SSL/TLS, while solving outstanding performance, complexity and security problems. In particular, a better security scheme would have improved performance in terms of fewer steps and less computational effort to deliver a comparable level of security. A better protocol would be less complex, with simpler processing, less processing per step and a better end-user security experience. It would use less bandwidth by using less data and fewer transmissions. It would be scalable and capable of peer to peer trust instead of being limited to a hierarchical scheme. The security of a better scheme would include regular mutual authentication, with easily defined session lengths down to the individual message level for shorter key life. Ideally, a better protocol would employ provably secure mathematics.